tpl: Escape .Title in built-in image and link render hooks

Co-authored-by: Joe Mooring <[email protected]>

2 files changed, 2 insertions, 2 deletions

diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
index 013e31235..875763910 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-image.html
@@ -5,7 +5,7 @@
     {{- $src = .RelPermalink -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" .Title) -}}
+{{- $attributes := merge .Attributes (dict "alt" .Text "src" $src "title" (.Title | transform.HTMLEscape)) -}}
 <img
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}
diff --git a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
index 8903d3dfb..30e4d2660 100644
--- a/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
+++ b/tpl/tplimpl/embedded/templates/_default/_markup/render-link.html
@@ -17,7 +17,7 @@
     {{- end -}}
   {{- end -}}
 {{- end -}}
-{{- $attributes := dict "href" $href "title" .Title -}}
+{{- $attributes := dict "href" $href "title" (.Title | transform.HTMLEscape) -}}
 <a
   {{- range $k, $v := $attributes -}}
     {{- if $v -}}